| // Copyright (c) 2011, Mike Samuel |
| // All rights reserved. |
| // |
| // Redistribution and use in source and binary forms, with or without |
| // modification, are permitted provided that the following conditions |
| // are met: |
| // |
| // Redistributions of source code must retain the above copyright |
| // notice, this list of conditions and the following disclaimer. |
| // Redistributions in binary form must reproduce the above copyright |
| // notice, this list of conditions and the following disclaimer in the |
| // documentation and/or other materials provided with the distribution. |
| // Neither the name of the OWASP nor the names of its contributors may |
| // be used to endorse or promote products derived from this software |
| // without specific prior written permission. |
| // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
| // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
| // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS |
| // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE |
| // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, |
| // INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, |
| // BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
| // LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER |
| // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
| // LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN |
| // ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
| // POSSIBILITY OF SUCH DAMAGE. |
| |
| package org.owasp.html; |
| |
| /** |
| * Pre-packaged HTML sanitizer policies. |
| * |
| * <p> |
| * These policies can be used to sanitize content. |
| * </p> |
| * <pre> |
| * Sanitizers.FORMATTING.sanitize({@code "<b>Hello, World!</b>"}) |
| * </pre> |
| * and can be chained |
| * <pre> |
| * PolicyFactory sanitizer = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS); |
| * System.out.println(sanitizer.sanitize({@code "<p>Hello, <b>World!</b>"})); |
| * </pre> |
| * |
| * <p> |
| * For more fine-grained control over sanitization, use |
| * {@link HtmlPolicyBuilder}. |
| * </p> |
| * |
| * @author Mike Samuel <mikesamuel@gmail.com> |
| */ |
| public final class Sanitizers { |
| |
| /** |
| * Allows common formatting elements including {@code <b>}, {@code <i>}, etc. |
| */ |
| public static final PolicyFactory FORMATTING = new HtmlPolicyBuilder() |
| .allowCommonInlineFormattingElements().toFactory(); |
| |
| /** |
| * Allows common block elements including <code><p></code>, |
| * <code><h1></code>, etc. |
| */ |
| public static final PolicyFactory BLOCKS = new HtmlPolicyBuilder() |
| .allowCommonBlockElements().toFactory(); |
| |
| /** |
| * Allows certain safe CSS properties in {@code style="..."} attributes. |
| */ |
| public static final PolicyFactory STYLES = new HtmlPolicyBuilder() |
| .allowStyling().toFactory(); |
| |
| /** |
| * Allows HTTP, HTTPS, MAILTO, and relative links. |
| */ |
| public static final PolicyFactory LINKS = new HtmlPolicyBuilder() |
| .allowStandardUrlProtocols().allowElements("a") |
| .allowAttributes("href").onElements("a").requireRelNofollowOnLinks() |
| .toFactory(); |
| |
| private static final AttributePolicy INTEGER = new AttributePolicy() { |
| public String apply( |
| String elementName, String attributeName, String value) { |
| int n = value.length(); |
| if (n == 0) { return null; } |
| for (int i = 0; i < n; ++i) { |
| char ch = value.charAt(i); |
| if (ch == '.') { |
| if (i == 0) { return null; } |
| return value.substring(0, i); // truncate to integer. |
| } else if (!('0' <= ch && ch <= '9')) { |
| return null; |
| } |
| } |
| return value; |
| } |
| }; |
| |
| /** |
| * Allows {@code <img>} elements from HTTP, HTTPS, and relative sources. |
| */ |
| public static final PolicyFactory IMAGES = new HtmlPolicyBuilder() |
| .allowUrlProtocols("http", "https").allowElements("img") |
| .allowAttributes("alt", "src").onElements("img") |
| .allowAttributes("border", "height", "width").matching(INTEGER) |
| .onElements("img") |
| .toFactory(); |
| |
| private Sanitizers() { |
| // Uninstantiable. |
| } |
| } |